A remarkable case involving computer security, Cobell v. Norton, is now
working its way through the courts. Currently set for argument this
month before the federal appellate court in Washington, D.C., the case
raises two important issues: What are the proper remedies for privacy
violations? And can the courts dictate website security standards?

Cobell v. Norton is a class-action lawsuit that was filed June 10, 1996,
in the U.S. District Court in Washington, D.C., to force the federal
government to account for the billions of dollars that have been held in
trust since the late 19th century on behalf of approximately 500,000
Native American beneficiaries and their heirs. As trustee, the
government took legal title to the land parcels and assumed full
responsibility for management of the trust lands, including the
obligation to collect and disburse to the beneficiaries any revenue
generated by mining, oil and gas extraction, timber operations, grazing
or similar activities.

In late 2001, attorneys for the plaintiffs questioned the computer
security of the trust fund. Judge Royce C. Lamberth ordered an
investigation. The special master running the investigation hired a
computer forensics expert, who was able to break into the system with
ease. On the strength of the forensic expert's report, the court
determined that the trust accounts were vulnerable to hacking. He
immediately took the unprecedented step of ordering the Department of
the Interior to terminate all of its Internet connections on Dec. 5,
2001.